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Senator Craig J. Zucker, Co-Chair, Joint Audit Committee 
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Members of Joint Audit Committee 
Annapolis, Maryland 

Ladies and Gentlemen: 

We have conducted a fiscal compliance audit of the Department of Human 
Services (DHS) - Child Support Administration (CSA) for the period beginning 
May 5, 2014 and ending July 17, 2017. CSA is responsible for operating the 
Statewide child support program, which includes the establishment of paternity 
and child support orders, and the collection and distribution of child support 
payments. For the federal fiscal year ended September 30, 2017, child support 
collections totaled $566 million and unpaid child support due from obligors (non¬ 
custodial parents) totaled $1.3 billion at that date. 

Our audit disclosed that controls were inadequate to ensure that delinquent 
obligors’ driver’s licenses were appropriately reinstated by the Motor Vehicle 
Administration under the driver’s license suspension program after obligors made 
payments to CSA to remove the delinquency. The audit also disclosed issues with 
unnecessary CSA employee access to the Child Support Enforcement System and 
the need to ensure that the vendor maintaining the State’s new hire registry 
complied with the contract’s system security requirements and appropriately 
safeguarded personally identifiable information on Maryland workers. 

In addition, CSA did not monitor an interagency agreement with a State 
university to ensure that the university complied with contract terms and provided 
the required deliverables and services. CSA also did not appropriately oversee 
the development of an application by the university under this agreement. Total 
payments from inception through October 3, 2018 were $5.7 million. 

Furthermore, the audit disclosed inadequate internal controls over child support 
account adjustments and CSA’s manual checking account. 
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Finally, our audit included a review to determine the status of the six findings 
contained in our preceding audit report. We determined that CSA satisfactorily 
addressed these findings. 

DHS’ response to this audit, on behalf of CSA, is included as an appendix to this 
report. In accordance with State law, we have reviewed the response and, while 
CSA agrees with the recommendations in this report, we identified certain 
instances in which statements in the response conflict with or disagree with the 
report findings. In each instance, we reviewed and reassessed our audit 
documentation, and reaffirmed the validity of our finding. In accordance with 
generally accepted government auditing standards, we have included “auditor 
comments” within DHS’ response to explain our position. Finally, there are other 
aspects of DHS’ response which will require further clarification, but we do not 
anticipate that these will require the Committee’s attention to resolve. 

We wish to acknowledge DHS’ and CSA’s willingness to address the audit issues 
and implement appropriate corrective actions. 


Respectfully submitted, 




Gregory A. Hook, CPA 
Legislative Auditor 
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Background Information 


Name Change and Agency Responsibilities 

Chapter 205, Laws of Maryland 2017, effective July 1, 2017, changed the name 
of the Department of Human Resources to the Department of Human Services 
(DHS), and changed the name of the Child Support Enforcement Administration, 
a unit within DHS, to the Child Support Administration (CSA). 

CSA is responsible for operating the Statewide child support program. CSA 
provides services to both the noncustodial and custodial parents, which include 
the establishment of paternity and child support orders, the collection of child 
support payments, and the distribution of such funds. 

Local child support offices, under CSA’s oversight, and other state and local 
government agencies (such as State’s Attorneys’ Offices) perform various child 
support services. Furthermore, a private vendor, under contract to CSA, provides 
child support functions in Baltimore City, which handles approximately 27 
percent of the State’s child support cases. In addition, CSA uses the services of 
two additional private vendors—one vendor maintains the new hire registry, 
which is used to identify noncustodial parent wages on a Statewide basis, and the 
other vendor centrally receives, processes, and distributes child support payments. 
CSA’s Child Support Enforcement System (CSES) is used to record child support 
case information, including enforcement efforts, and to account for the collection 
and subsequent distribution of support payments. CSES also provides financial 
and statistical data for management oversight purposes, and has certain automated 
enforcement features to aid in the collection function. 

According to CSA’s records, during federal fiscal year 2017 (October 1, 2016 
through September 30, 2017), Statewide child support collections totaled 
approximately $566 million, representing an increase of approximately one 
percent compared to the year-ended September 2014. As of September 2017, the 
CSA open caseload totaled approximately 196,867, and the Statewide unpaid 
child support due from obligors totaled approximately $1.3 billion, representing 
virtually no change from the September 2014 unpaid balance. According to the 
State’s records, CSA’s operating expenditures for State fiscal year 2017 totaled 
approximately $44 million. This excludes local child support office expenditures, 
which are included in a separate DHS budgetary unit. 
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Enforcement Action Overview 


Child support services are generally performed by local offices throughout the 
State, including the Baltimore City office where a vendor provides the services, 
with oversight and administration provided by CSA central office personnel. 

CSA uses several enforcement tools to pursue court-ordered child support when 
an obligor does not pay fully or on time. These tools include withholding wages, 
intercepting tax refunds, and seizing funds in personal bank accounts. The 
primary source to facilitate the identification of wages for withholding is the 
State’s new hire registry which is an automated system for collecting, storing, and 
extracting employer-reported information on new hires, mandated by federal law. 
The system is maintained by a vendor under contract to DHS. Other enforcement 
tools provided for in State law include driver’s license and occupational license 
suspensions. For example, State law permits the suspension of driver’s licenses 
by the Motor Vehicle Administration (MVA) when an obligor is at least 60 days 
delinquent in child support payments. 

Status of Findings From Preceding Audit Report 

Our audit included a review to determine the status of the six findings contained 
in our preceding audit report dated June 26, 2015. We detennined that CSA 
satisfactorily addressed these findings. 
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Findings and Recommendations 


Driver’s License Suspension Program 


Finding 1 

Controls over driver’s license reinstatements were inadequate to ensure their 
propriety. 


Analysis 

Child Support Administration’s (CSA) controls over driver’s license 
reinstatements processed under CSA’s driver’s license suspension program were 
inadequate. State law provides that CSA may refer a delinquent obligor to the 
Motor Vehicle Administration (MVA) requesting suspension of his or her driver’s 
license when the obligor is at least 60 days out of compliance with the most recent 
child support court order. Once the obligor is back in compliance, local office 
caseworkers notify MVA via a faxed letter to reinstate the driver’s license. Our 
audit disclosed that these reinstatements were often not subject to documented 
CSA supervisory review and approval. According to CSA records, 3,476 driver’s 
license reinstatements were performed in the month of December 2017. 

CSA policy requires supervisory review and approval of driver’s license 
reinstatements processed by local office caseworkers; however, an automated 
monthly report of driver’s license reinstatements processed in the Child Support 
Enforcement System (CSES) was not generated by local offices to facilitate this 
supervisory review process. Without such a source document of all recorded 
reinstatements, it would not be possible to ensure that all driver’s license 
reinstatements were subject to the required supervisory review. In this regard, we 
noted that 774 CSES users statewide (caseworkers and supervisors) had access to 
record a reinstatement in CSES, which will result in a reinstatement notification 
to be sent to MVA. 

Our test of 15 reinstated driver’s licenses from 10 local offices (selected from 
CSES) disclosed that, in 9 instances, there was no documented supervisory review 
and approval of the reinstatement. In addition, we reviewed the 15 cases to 
determine if there was sufficient documentation to justify the driver’s license 
reinstatement. We noted that one reinstatement that had been subject to 
supervisory review and approval lacked adequate documentation to justify the 
reinstatement. 

Recommendation 1 

We recommend that CSA ensure that local offices take appropriate action, 
such as by requiring the use of the monthly reinstatement report, to ensure, 
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at least on a test basis, that driver’s license reinstatements are proper and 
have been subject to supervisory review and approval as required. 


Child Support Account Adjustments 


Finding 2 

CSA could not always provide evidence of supervisory reviews of child 
support account adjustments by independent personnel. 


Analysis 

CSA could not provide documentation that required monthly independent 
supervisory reviews of child support account adjustments (such as, adjustments to 
the balance of child support owed) were performed at each local office. In 
addition, when documentation was available of supervisory reviews at a local 
office, we noted that the reviews were not always perfonned by an independent 
employee. According to CSA policy, a supervisor at each local child support 
office must use monthly adjustment reports from CSES to perform a documented, 
test basis review of account adjustments processed during the month. 

We requested documentation in December 2017 of the supervisory reviews of 
account adjustments for all 24 local child support offices for the month of June 
2017. CSA advised us that all local offices had perfonned these reviews; 
however, CSA could not provide adequate documentation of a review of account 
adjustments for 7 local offices, including the 3 largest local offices. According to 
CSA records, during June 2017, approximately $15 million in account 
adjustments were processed, of which $7.4 million in adjustments were processed 
at the aforementioned 7 offices where there was no adequate documentation of 
account adjustment reviews. 

Furthermore, at 4 of the 17 offices where supervisory reviews were documented, 
we found that the employees who performed the supervisory reviews also had the 
ability to process adjustments, and consequently would not be independent. We 
then perfonned a test at these 4 offices during June 2017 and found that 
supervisory employees initially processed 19 account adjustments totaling $8,000. 
As a result, erroneous or fraudulent transactions could be processed without 
detection. 

Recommendation 2 

We recommend that CSA ensure that account adjustments are subject to a 
documented monthly review by an independent supervisor on a test basis, as 
required. 
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Child Support Enforcement System Access 


Finding 3 

CSA did not ensure that central and local office personnel conducted 
periodic reviews of employee access to CSES, as required, and we noted that 
critical access had been unnecessarily granted to certain employees. 


Analysis 

CSA did not ensure that employee access to CSES was subject to a periodic 
review for propriety as required, and we noted a number of employees with 
critical system access that was not required for their job duties. CSES is used to 
record child support case infonnation, including enforcement efforts, and to 
account for the collection and subsequent distribution of support payments. 

CSA could not document that required periodic access reviews had been 
performed for central office personnel and for personnel at all 24 local offices 
during the audit period. In addition, during our audit, we identified 15 CSA 
employees with critical system access as of May 10, 2017, which was 
unnecessary for their job duties. Specifically, 4 employees at 3 local offices had 
user access which allowed them to enter or edit customer direct deposit 
information in CSES, and 12 employees at 11 local offices (including one 
employee in the 4 noted above) had user access to process manual distributions in 
CSES, which allowed these employees to manually record payments to a 
customer account. These employees did not need such access since these 
functions were the responsibility of CSA’s State Disbursement Unit vendor, 
which centrally receives and processes child support payments. 

As of May 2017, there were 980 CSA employees with various CSES edit 
accesses. According to the DHS Information Systems Security Handbook, at least 
annually, DHS supervisors should review their employees’ current job duties and 
compare them to the employees’ current security access level to determine if any 
modifications are needed. According to CSA records, during federal fiscal year 
2017 (October 1, 2016 through September 30, 2017), Statewide child support 
collections totaling approximately $566 million were recorded in CSES. 

Recommendation 3 
We recommend that CSA 

a. comply with the aforementioned DHS Handbook and ensure that each 
employee’s access to CSES is reviewed annually and that the reviews are 
documented; and 

b. remove any unnecessary CSES access, including those noted above. 
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New Hire Registry Contract Security Requirements 


Finding 4 

CSA did not ensure that the vendor responsible for administering the State’s 
new hire registry complied with the contract’s system security requirements 
and safeguarded sensitive personally identifiable information on Maryland 
workers. 


Analysis 

CSA did not ensure that the vendor that operates and maintains the State’s new 
hire registry complied with the contract’s system security requirements and that 
sensitive personally identifiable (PII) infonnation on Maryland workers was 
appropriately safeguarded. The registry is an automated system for collecting, 
storing, and extracting employer-reported information on new employee hires as 
mandated by federal law, with the primary goal of increasing child support 
collections by identifying wages of noncustodial parents who may be eligible for 
wage withholding. The vendor processes all new hire reports for Maryland 
employers and transmits the information to CSA to be uploaded to CSES. The 
original contract term was for a three-year period beginning November 2013 and 
contained two one-year renewal options. As of December 2016, the estimated 
total contract value was approximately $1.2 million. 

The registry includes sensitive PII for employees such as name, address, date of 
birth, and social security number. The contract required the vendor to ensure 
proper security for the registry, including the implementation of firewalls, the use 
of encryption, and the logging of changes to network devices, as well as to 
maintain the confidentiality of information, to implement authorization controls, 
and to develop a disaster recovery plan. However, there was no requirement in 
the contract for these security measures to be independently verified or assessed. 
After our inquiry, CSA provided us with certain vendor-provided assertions 
regarding the security measures it had taken in the form of two one-page letters 
(one of which was undated); however, the infonnation provided by the vendor 
was general in nature and CSA had taken no documented action to verify the 
vendor’s assertions and to ensure the security measures in place were sufficient. 
While the number of employee records processed was not readily available, for 
the five months of invoices which we reviewed (dating between June 2016 and 
March 2017), the vendor was paid approximately $141,000 for processing 
546,000 records. 

PII is commonly associated with identity theft. Accordingly, appropriate 
information system security controls need to exist to ensure that PII is 
safeguarded and not improperly disclosed. The State of Maryland Information 
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Security Policy requires that agencies protect confidential data using encryption 
technologies and/or other substantial mitigating controls and the vendor is 
required to adhere to the Policy. 

One option to obtain comprehensive and independent assurance of the 
safeguarding of data by service organizations is a System and Organization 
Controls (SOC) report issued by an independent auditor, which is the subject of 
guidance from the American Institute of Certified Public Accountants. One type 
of report, referred to as a SOC 2 Type 2 report, includes the results of the 
auditor’s review of controls placed in operation and tests of operating 
effectiveness for the period under review and could include an evaluation of 
system security, availability, processing integrity, confidentiality, and/or privacy. 
In addition, subsequent to the awarding of the original contract, the Department of 
Budget and Management has advocated for a SOC review for certain contracts 
and now requires, through the use of a standard Request for Proposals template, 
certain contracts to include a clause requiring a SOC review (SOC 2 Type 2). 

Recommendation 4 
We recommend that 

a. CSA ensure that the vendor is properly complying with the contract’s 
system security requirements and, specifically, that all PII maintained on 
the vendor registry is adequately protected; and 

b. future contracts for the new hire registry include, as appropriate, a 
requirement for the vendor to obtain periodic SOC 2 Type 2 reviews, and 
that CSA obtain and review the resulting reports to ensure that sensitive 
worker data maintained by the vendor is properly safeguarded. 


Monitoring of Interagency Agreement 


Finding 5 

CSA did not properly monitor its interagency agreement with a State 
university for compliance with the agreement terms and did not ensure 
required services were provided. Payments related to the agreement totaled 
$5.7 million. 


Analysis 

CSA did not properly monitor its interagency agreement with a State university, 
including the development of an application by the university, and did not ensure 
that the university complied with the agreement terms and provided the required 
deliverables and services. CSA entered into an agreement with a university for 
local area network (LAN) services, which included LAN management, 
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application development and maintenance, onsite training, reporting, and periodic 
meetings. The agreement included specific monthly deliverables and details of 
the key personnel to be provided by the university. The agreement was for a five- 
year term from July 1, 2013 through June 30, 2018 for approximately $5.6 million 
and, as of June 2018, the agreement was valued at $6.1 million, including two 
change orders. From inception through October 3, 2018, total payments were 
$5.7 million. 

Our review found that required deliverables were not always provided, and 
payments were made on a cost reimbursable basis as reflected on monthly 
invoices, which did not provide any details on the actual services provided during 
the month. For example, rather than obtaining the required monthly progress 
reports to provide overviews of the activities of all related personnel and 
deliverables, CSA advised us that it relied on periodic verbal communication with 
the university staff to obtain information on the services performed and its 
progress on application development and other tasks. Some limited progress 
reports were provided during the audit period, but these reports were general in 
nature and sporadic. For example, the only status report available for the 
application development services covered the period from April 2014 through 
June 2014. Furthermore, there was no documentation to support that formal 
monthly monitoring meetings between the university and CSA staff were 
conducted, as required by the agreement. 

In addition, CSA was not able to document that onsite training from the university 
had occurred. The agreement funded a trainer to administer training programs to 
CSA personnel and to expand its current training program to include an online 
training portfolio, and to provide regional face-to-face training throughout the 
year. 

We also found that the university developed a new “dashboard” application to 
assist CSA staff in monitoring child support activity by interacting with CSES, 
and prompts employees to take required actions on cases. However it was 
developed without establishing project specifications or related deliverables and 
consequently, there was a lack of fonnal CSA monitoring during the development 
of the dashboard. Although according to CSA, the “dashboard” appeared to be 
successfully developed, we were advised that it was developed based on a 
methodology that relied on verbal agreements and discussions between the 
various parties. In our opinion, key decisions and events in the process should be 
documented for the record, to prevent misunderstandings and to fix responsibility. 
In addition to the lack of documentation of formal CSA monitoring of the 
project’s development, there was also no documentation of how the university 
ensured that the application included adequate measures for system security, 
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business continuity, and disaster recovery in accordance with the State of 
Maryland Information Security Policy, which governs such applications. 

Finally, the agreement was silent with respect to the ownership of the 
“dashboard” application, which was a point of dispute between CSA and the 
university during our audit period. While CSA entered into a new agreement with 
the university for a continuation of the same services, effective July 1, 2018, the 
ownership of the application was not resolved. 

Interagency agreements are used by State agencies to obtain services from State 
institutions of higher education (State universities). Interagency agreements are 
exempt from State procurement laws, including the requirements for competitive 
procurement, publication of solicitations and awards, and Board of Public Works’ 
approval. After our fieldwork, in accordance with State law, the Department of 
Budget and Management began a review of this agreement to determine whether 
the arrangement was appropriate and whether it would be in the best interest of 
the State to attempt to competitively procure these services going forward. 

Recommendation 5 
We recommend that CSA 

a. ensure that all required contract deliverables are provided before 
approval of payments; 

b. adequately document receipt of all requirements and deliverables under 
the aforementioned agreement, including those for the application 
development function; 

c. ensure that, as applicable, information technology work performed under 
interagency agreements complies with the State Information Security 
Policy ; and 

d. in consultation with legal counsel, resolve the dispute over ownership of 
the “dashboard” application. 


13 



Bank Accounts 


Finding 6 

Controls were inadequate over CSA’s checking account that was used to 
process certain refund payments, and outstanding checks were not 
forwarded to the Comptroller of Maryland as abandoned property when 
required. 


Analysis 

Sufficient controls were not established over disbursements from CSA’s checking 
account as one employee was given incompatible capabilities. The account was 
generally used to process refund payments to individuals or entities which did not 
have an account in CSES, such as to employers for misdirected wage 
withholdings. According to its records, CSA processed disbursements from this 
checking account totaling approximately $219,000 during the six-month period 
ending April 2017. Specifically, one CSA employee maintained control over the 
blank check stock, had administrative rights over the automated system used to 
process the disbursements, was one of two authorized check signers (dual 
signatures required on checks), and was responsible for approving the monthly 
bank reconciliation of the account. With administrative rights, this employee 
could print checks and record or delete transactions. In addition, this employee 
was one of the two authorized signers for wire transfers from the main child 
support disbursement account to ah of the other CSA bank accounts, including 
this checking account. 

We also noted that 625 outstanding checks totaling $170,000 that were issued 
during the years between 2003 and 2014 remained uncashed for more than three 
years as of March 2018, but had not been voided and forwarded to the 
Comptroller of Maryland as abandoned property, as required by State 
regulations. 

Recommendation 6 

We recommend that CSA ensure that 

a. authorized check signers do not have access to check stock or the ability 
to process checks on the automated system; 

b. administrative rights are assigned to an employee who has no checking 
account responsibilities; and 

c. checks that remain outstanding for longer than three years are voided 
and the associated funds are forwarded to the Comptroller of Maryland 
as abandoned property, as required. 
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We advised CSA on accomplishing the necessary separation of duties using 
existing personnel. 
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Audit Scope, Objectives, and Methodology 

We have conducted a fiscal compliance audit of the Department of Human 
Services (DHS) - Child Support Administration (CSA) for the period beginning 
May 5, 2014 and ending July 17, 2017. The audit was conducted in accordance 
with generally accepted government auditing standards. Those standards require 
that we plan and perform the audit to obtain sufficient, appropriate evidence to 
provide a reasonable basis for our findings and conclusions based on our audit 
objectives. We believe that the evidence obtained provides a reasonable basis for 
our findings and conclusions based on our audit objectives. 

As prescribed by the State Government Article, Section 2-1221 of the Annotated 
Code of Maryland, the objectives of this audit were to examine CSA’s financial 
transactions, records, and internal control, and to evaluate its compliance with 
applicable State laws, rules, and regulations. 

In planning and conducting our audit, we focused on the major financial-related 
areas of operations based on assessments of significance and risk. The areas 
addressed by the audit included enforcement procedures (for example, 
occupational and driver’s license suspensions and wage withholding), access and 
controls over CSA’s Child Support Enforcement System (CSES), monitoring of 
local child support offices, and contracts. We also determined the status of the 
findings contained in our preceding audit report. 

Our audit did not include various support services provided to CSA by DHS. 
These support services (such as payroll, purchasing, maintenance of accounting 
records, and related fiscal functions) are included within the scope of our audit of 
DHS’ Office of the Secretary and Related Units. Our audit also did not include an 
evaluation of internal controls over compliance with federal laws and regulations 
for federal financial assistance programs and an assessment of CSA’s compliance 
with those laws and regulations because the State of Maryland engages an 
independent accounting firm to annually audit such programs administered by 
State agencies, including CSA. 

To accomplish our audit objectives, our audit procedures included inquiries of 
appropriate personnel, inspections of documents and records, observations of 
CSA’s operations, and tests of transactions. Generally, transactions were selected 
for testing based on auditor judgment, which primarily considers risk. Unless 
otherwise specifically indicated, neither statistical nor non-statistical audit 
sampling was used to select the transactions tested. Therefore, the results of the 
tests cannot be used to project those results to the entire population from which 
the test items were selected. 
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We also performed various data extracts of pertinent information from the State’s 
Financial Management Information System (such as expenditure data). The 
extracts are performed as part of ongoing internal processes established by the 
Office of Legislative Audits and were subject to various tests to determine data 
reliability. We determined that the data extracted from this source were 
sufficiently reliable for the purposes the data were used during the audit. We also 
extracted data from CSES for the purpose of testing various enforcement efforts. 
We performed various tests of the relevant data and determined that the data were 
sufficiently reliable for the purposes the data were used during the audit. Finally, 
we performed other auditing procedures that we considered necessary to achieve 
our audit objectives. The reliability of data used in this report for background or 
informational purposes was not assessed. 

CSA’s management is responsible for establishing and maintaining effective 
internal control. Internal control is a process designed to provide reasonable 
assurance that objectives pertaining to the reliability of financial records; 
effectiveness and efficiency of operations, including safeguarding of assets; and 
compliance with applicable laws, rules, and regulations are achieved. 

Because of inherent limitations in internal control, errors or fraud may 
nevertheless occur and not be detected. Also, projections of any evaluation of 
internal control to future periods are subject to the risk that conditions may 
change or compliance with policies and procedures may deteriorate. 

Our reports are designed to assist the Maryland General Assembly in exercising 
its legislative oversight function and to provide constructive recommendations for 
improving State operations. As a result, our reports generally do not address 
activities we reviewed that are functioning properly. 

This report includes findings relating to conditions that we consider to be 
significant deficiencies in the design or operation of internal control that could 
adversely affect CSA’s ability to maintain reliable financial records, operate 
effectively and efficiently, and/or comply with applicable laws, rules, and 
regulations. Our report also includes findings regarding significant instances of 
noncompliance with applicable laws, rules, or regulations. Other less significant 
findings were communicated to CSA that did not warrant inclusion in this report. 

The response from DHS, on behalf of CSA, to our findings and recommendations 
is included as an appendix to this report. As prescribed in the State Government 
Article, Section 21224 of the Annotated Code of Maryland, we will advise DHS 
regarding the results of our review of its response. 
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APPENDIX 



MARYLAND DEPARTMENT OF 

HUMAN SERVICES 


Larry Hogan, Governor | Boyd K. Rutherford, Lt. Governor | Lourdes R. Padilla, Secretary 


April 26, 2019 


Mr. Gregory A. Hook 
Legislative Auditor 
Office of Legislative Audits 
301 West Preston Street, Room 1202 
Baltimore, Maryland 21201 

Mr. Hook, 

Please find enclosed the Department of Human Services’ (DHS) response to the draft Legislative 
Audit Report of the Department of Human Services - Child Support Administration for the period 
beginning May 5, 2014 and ending July 17, 2017. 

If you have any questions regarding the responses, please contact Inspector General Kevin Carson at 
443-378-4060 or at kevin.carson@maryland.gov. 



Enclosures: 

cc: 

Gregory James, Deputy Secretary, Operations 

Randi Walters, Deputy Secretary, Programs 

David Lee, Assistant Deputy Secretary, Programs 

Craig Eichler, Chief of Staff 

Kevin J. Carson, Inspector General, OIG 

Kevin P. Guistwite, Executive Director, CSA 

Samantha Blizzard, Special Assistant, Office of the Secretary 


311 W. Saratoga Street, Baltimore, MD 21201-3500 | Tel: 1-800-332-6347 | TTY: 1-800-735-2258 | www.dhs.maryland.gov 



Driver’s License Suspension Program 


Finding 1 

Controls over driver’s license reinstatements were inadequate to ensure their propriety. 


Recommendation 1 

We recommend that CSA ensure that local offices take appropriate action, such as by 
requiring the use of the monthly reinstatement report, to ensure, at least on a test basis, 
that driver’s license reinstatements are proper and have been subject to supervisory review 
and approval as required. 

The Department’s Response: The Child Support Administration agrees with the finding. 

The Child Support Administration (CSA) agrees with the recommendation. The CSA will 
schedule training beginning June 2019 for all CSA workers and supervisors to ensure adherence 
to the policy requiring supervisory approval prior to reinstatement of a suspended driver’s 
license, and documentation of this action in the Case Action Log (CAL) within the Child Support 
Enforcement System (CSES) or subsequent system as currently being designed by the Maryland 
Total Human-Services Integrated Network (MD THINK) Project. 

There is no existing monthly reinstatement report, contrary to what is stated in the analysis and 
recommendation. The report of driver’s license reinstatements provided during the audit is not a 
standard monthly report and would be prohibitively expensive to produce on a monthly basis. 

The report provided to the auditors was a one-time, ad-hoc report developed at their request to 
assist in the audit. 

Auditor’s Comment : CSA’s response indicates that the report of driver’s license 
reinstatements would be too expensive to regularly produce. However, as noted in the 
finding, without an automated report of all recorded reinstatements in CSES, it would not 
be possible to ensure that all driver’s license reinstatements were subject to the required 
supervisory review. 

Nevertheless, the CSA Office of Internal Audit and Quality Assurance will periodically, on a test 
basis, monitor local office adherence to the aforementioned process and request corrective 
actions for non-compliance, when required. CSA will also explore the possibility of producing a 
reinstatement report in the future as MD THINK is developed and implemented. 





Child Support Account Adjustments 


Finding 2 

CSA could not always provide evidence of supervisory reviews of child support account 
adjustments by independent personnel. _ 


Recommendation 2 

We recommend that CSA ensure that account adjustments are subject to a documented 
monthly review by an independent supervisor on a test basis, as required. 

The Department’s Response: The Child Support Administration agrees with the finding. 

The Child Support Administration (CSA) agrees with the recommendation. CSA and local 
office management collaborated in the development and implementation of a standard process 
for child support account adjustments and supervisory review at the local office level. 

In addition, CSA’s Office of Internal Audit and Quality Assurance will periodically, on a test 
basis, monitor local office adherence to the aforementioned process and request corrective 
actions for non-compliance, when required. 

Of the $15 million in child support account adjustments processed, there were no instances of 
erroneous, fraudulent, or inappropriate transactions detected during the audit. 

Auditor’s Comment : CSA’s response indicates that there were no instances of 
erroneous, fraudulent, or inappropriate transactions detected during the audit with respect 
to the $15 million in child support account adjustments. It is important to clarify that the 
propriety of all $15 million in adjustments is actually unknown, as the audit was not 
intended to nor did it include a review of the entire population of these adjustments. Our 
recommendation, if implemented, will provide necessary safeguards over the processing 
of adjustments to help ensure their propriety. 






Child Support Enforcement System Access 


Finding 3 

CSA did not ensure that central and local office personnel conducted periodic reviews of 
employee access to CSES, as required and we noted that critical access had been 
unnecessarily granted to certain employees. 


Recommendation 3 
We recommend that CSA 

a. comply with the aforementioned DHS Handbook and ensure that each employee’s 
access to CSES is reviewed annually and that the reviews are documented; and 

b. remove any unnecessary CSES access, including those noted above. 


The Department’s Response: The Child Support Administration agrees with the finding. 

a. The Child Support Administration (CSA) agrees with Recommendation A. A periodic 
review of access levels will be conducted and documented during annual employee 
performance reviews (June and December) beginning June 2019. 

b. CSA agrees with Recommendation B. CSA has already adjusted access to reflect current 
job functions for the fifteen (15) individuals identified during the audit who had 
unwarranted access to specific attributes of the Child Support Enforcement System 
(CSES). In addition, CSA will remove any unnecessary CSES access discovered as a 
result of the periodic reviews. 






New Hire Registry Contract Security Requirements 


Finding 4 

CSA did not ensure that the vendor responsible for administering the State’s new hire 
registry complied with the contract’s system security requirements and safeguarded 
sensitive personally identifiable information on Maryland workers. 


Recommendation 4 
We recommend that 

a. CSA ensure that the vendor is properly complying with the contract’s system 
security requirements and, specifically, that all PII maintained on the vendor registry is 
adequately protected; and 

b. future contracts for the new hire registry include, as appropriate, a requirement for 
the vendor to obtain periodic SOC 2 Type 2 reviews, and that CSA obtain and review the 
resulting reports to ensure that sensitive worker data maintained by the vendor is properly 
safeguarded. 

The Department’s Response: The Child Support Administration agrees with the finding. 

a. The Child Support Administration (CSA) agrees with Recommendation A. The contract 
with the current new hire registry vendor will expire in September 2019, and CSA is 
preparing a new request for proposal (RFP) for this service. Specific measures will be 
implemented to protect sensitive personally identifiable infonnation (PII) of Maryland 
employees. 

b. CSA agrees with Recommendation B. The new RFP will require periodic SOC 2 Type 2 
reviews, and CSA will obtain and review reports to ensure that any sensitive PII 
maintained by the vendor is properly safeguarded. 






Monitoring of Interagency Agreement 


Finding 5 

CSA did not properly monitor its interagency agreement with a State university for 
compliance with the agreement terms and did not ensure required services were provided. 
Payments related to the agreement totaled $5.7 million. 


Recommendation 5 
We recommend that CSA 

a. ensure that all required contract deliverables are provided before approval of 
payments; 

b. adequately document receipt of all requirements and deliverables under the 
aforementioned agreement, including those for the application development function; 

c. ensure that, as applicable, information technology work performed under 
interagency agreements complies with the State Information Security Policy ; and 

d. in consultation with legal counsel, resolve the dispute over ownership of the 
“dashboard” application. 

The Department’s Response: The Child Support Administration agrees with the finding. It 
should be noted that, while monitoring and documentation of receipt of deliverables will be 
improved, the required services pursuant to this interagency agreement were in fact provided. 

a. The Child Support Administration (CSA) agrees with Recommendation A. CSA will 
ensure on a monthly basis that a report on LAN activities is received prior to payment of 
invoices. Additionally, all periodic meetings with the State University will be 
documented. 

b. CSA agrees with Recommendation B. CSA will continue to use an agile methodology. 
CSA will, however, immediately improve the documenting and monitoring of application 
development to ensure that requirements and deliverables are documented on a monthly 
basis. 

c. CSA agrees with Recommendation C. The portion of the contract involving information 
technology (IT) work will be integrated into the new child support system currently being 
developed by MD THINK, thereby ensuring the IT work is developed in compliance with 
State’s Information Security Policy. 

d. CSA agrees with Recommendation D. The agreement between CSA and the university 
which covers the “dashboard” is silent with regards to ownership. CSA will continue to 
work with the Office of the Attorney General (OAG) and the university attorneys to 
resolve the dispute over ownership. 






Bank Accounts 


Finding 6 

Controls were inadequate over CSA’s checking account that was used to process certain 
refund payments, and outstanding checks were not forwarded to the Comptroller of 
Maryland as abandoned property when required. 


Recommendation 6 

We recommend that CSA ensure that 

a. authorized check signers do not have access to check stock or the ability to process 
checks on the automated system; 

b. administrative rights are assigned to an employee who has no checking account 
responsibilities; and 

c. checks that remain outstanding for longer than three years are voided and the 
associated funds are forwarded to the Comptroller of Maryland as abandoned property, as 
required. 

We advised CSA on accomplishing the necessary separation of duties using existing 
personnel. 


The Department’s Response: The Child Support Administration agrees with the finding. 

a. The Child Support Administration (CSA) agrees with Recommendation A. CSA ensured 
that adequate separation of duties was completed during the beginning of the audit in Fall 
2017 to mitigate the risk of fraud or misappropriation of assets. Additionally, dual 
signatures are required for all disbursements and all source documentation is reviewed 
and approved by CSA’s senior management. 

b. CSA agrees with Recommendation B. To strengthen the controls and further mitigate the 
risk of fraud or misappropriation of assets, the individual with administrative privileges is 
not a signatory relative to the bank account. 

c. CSA agrees with Recommendation C. Regarding the outstanding checks, since the 
aforementioned checks are outside of the annual automated abandoned property process, 
CSA is in the process of the development and implementation of a manual process to be 
completed by or before October 2019. This process will ensure outstanding checks are 
forwarded to the Comptroller of Maryland as abandoned property when required. 
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